fix: address PR review feedback

claude · claude · commit d1e532f82656 · 2026-02-19T07:25:18.000Z
- Switch all branch references from `master` to `main` to match the repo's actual default branch (ci.yaml, release.yaml, .releaserc.yaml, README.md). Without this, CI won't trigger on PRs and releases won't run on merge. - Replace nondeterministic `docker load | docker tag $(head -1)` with `skopeo copy oci-archive:... docker-daemon:...` for a deterministic image load into the Docker daemon. - Combine the first three apt-get RUN layers (system upgrade, deadsnakes Python, skopeo/buildah) into a single layer to reduce image size and redundant apt-get update calls. - Fix README: pin RUNNER_VERSION=2.321.0 in the example manifest (was `latest`), replace update-tools workflow reference with Renovate, update project structure tree. https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,7 +2,7 @@ name: CI
 
 on:
   pull_request:
-    branches: [master]
+    branches: [main]
 
 permissions:
   contents: read
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -2,7 +2,7 @@ name: Release
 
 on:
   push:
-    branches: [master]
+    branches: [main]
 
 permissions:
   contents: write
@@ -95,8 +95,7 @@ jobs:
           buildah push "${IMAGE_NAME}:${IMAGE_VERSION}" "oci-archive:build/${IMAGE_NAME}.tar"
 
           # Load into Docker daemon for dive scan
-          docker load -i "build/${IMAGE_NAME}.tar"
-          docker tag "$(docker images -q | head -1)" "${IMAGE_NAME}:${IMAGE_VERSION}"
+          skopeo copy "oci-archive:build/${IMAGE_NAME}.tar" "docker-daemon:${IMAGE_NAME}:${IMAGE_VERSION}"
 
       - name: Dive filesystem scan
         env:
diff --git a/.releaserc.yaml b/.releaserc.yaml
@@ -1,5 +1,5 @@
 branches:
-  - master
+  - main
 
 plugins:
   - "@semantic-release/commit-analyzer"
diff --git a/Containerfile b/Containerfile
@@ -6,29 +6,17 @@ ARG APP_HOME=/home/runner
 
 USER root
 
-# Update and upgrade the system
-RUN apt-get update \
-    && apt-get upgrade -y \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* \
-    && apt-get autoremove -y \
-    && apt-get autoclean -y
-
-# Add Python 3.12, 3.13 and 3.14
-# Add deadsnake apt repository
+# System upgrade, Python 3.12/3.13/3.14 (deadsnakes), skopeo, buildah
 # hadolint ignore=DL3008
 RUN apt-get update \
+    && apt-get upgrade -y \
     && apt-get install --no-install-recommends -y gnupg ca-certificates software-properties-common curl \
     && DEBIAN_FRONTEND=noninteractive add-apt-repository -y ppa:deadsnakes/ppa \
     && apt-get update \
-    && apt-get install --no-install-recommends -y python3.12 python3.13 python3.14 \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install skopeo and buildah
-# hadolint ignore=DL3008
-RUN apt-get update \
-    && apt-get install --no-install-recommends -y skopeo buildah \
+    && apt-get install --no-install-recommends -y \
+       python3.12 python3.13 python3.14 \
+       skopeo buildah \
+    && apt-get autoremove -y \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
diff --git a/README.md b/README.md
@@ -44,13 +44,13 @@ These tools allow the image to run its own build pipeline as a self-hosted runne
 
 | Workflow | Trigger | Description |
 |----------|---------|-------------|
-| **CI** | Pull request to `master` | Commitlint, hadolint lint, test build |
-| **Release** | Push to `master` | Semantic release, build, scan, push to GHCR |
-| **Update tools** | Weekly (Monday 08:00 UTC) / manual | Checks for new tool versions, opens a PR |
+| **CI** | Pull request to `main` | Commitlint, hadolint lint, test build |
+| **Release** | Push to `main` | Semantic release, build, scan, push to GHCR |
+| **Renovate** | Automated | Keeps tool versions and dependencies up to date via PRs |
 
 ### Release process
 
-Releases are fully automated via [semantic-release](https://github.com/semantic-release/semantic-release). Pushing to `master` triggers version analysis based on [Conventional Commits](https://www.conventionalcommits.org/):
+Releases are fully automated via [semantic-release](https://github.com/semantic-release/semantic-release). Pushing to `main` triggers version analysis based on [Conventional Commits](https://www.conventionalcommits.org/). Tool versions are kept up to date automatically by [Renovate](https://docs.renovatebot.com/).
 
 | Commit prefix | Version bump |
 |---------------|-------------|
@@ -99,7 +99,7 @@ registry: ghcr.io/deerhide/python-github-runner
 build:
   format: oci
   args:
-    - RUNNER_VERSION=latest
+    - RUNNER_VERSION=2.321.0
     - ARGO_VERSION=3.6.4
     - KARGO_VERSION=1.9.2
     - PACK_VERSION=0.36.4
@@ -186,8 +186,8 @@ git commit -m "WIP"
 ├── .github/
 │   └── workflows/
 │       ├── ci.yaml                      # PR validation
-│       ├── release.yaml                 # Semantic release + build + push
-│       └── update-tools.yaml            # Automated tool version updates
+│       └── release.yaml                 # Semantic release + build + push
+├── renovate.json                        # Renovate dependency update config
 └── scripts/
     ├── builder.sh                       # Local build orchestration
     ├── install_tools.sh                 # Build tool installer
